How to renew Kubernetes (K8) certificate? Error: Unable to connect to the server: x509: certificate has expired or is not yet valid
Check the validity of the certificates using the commands below:
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout | grep "Not After"
openssl x509 -in /etc/kubernetes/pki/apiserver-kubelet-client.crt -text -noout | grep "Not After"
openssl x509 -in /var/lib/kubelet/pki/kubelet.crt -text -noout | grep "Not After"
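An added example (not part of the original article and not Fortanix's script): a shell function that classifies each of the three certificates checked above as not-yet-valid, expired, expiring or ok, covering both halves of the x509 error. The function names and the 30-day warning threshold are assumptions, and the start-date parsing relies on GNU date.

```shell
#!/bin/sh
# Added example: classify a certificate's validity window with openssl.
# Function names and the default threshold are assumptions, not from the article.

# cert_status FILE [WARN_DAYS] prints one of:
#   missing | unreadable | not-yet-valid | expired | expiring | ok
cert_status() {
    cert=$1
    warn_days=${2:-30}
    [ -f "$cert" ] || { echo missing; return 0; }
    # Output looks like: notBefore=Jan  1 00:00:00 2024 GMT
    start=$(openssl x509 -in "$cert" -noout -startdate 2>/dev/null) \
        || { echo unreadable; return 0; }
    # GNU date is assumed for parsing the timestamp into epoch seconds.
    start_epoch=$(date -d "${start#notBefore=}" +%s 2>/dev/null) \
        || { echo unreadable; return 0; }
    now=$(date +%s)
    if [ "$start_epoch" -gt "$now" ]; then
        # Usually a node clock that is behind, not a bad certificate.
        echo not-yet-valid
    elif ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout \
            -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# Report on the three certificate paths checked in this article.
check_k8s_certs() {
    for c in /etc/kubernetes/pki/apiserver.crt \
             /etc/kubernetes/pki/apiserver-kubelet-client.crt \
             /var/lib/kubelet/pki/kubelet.crt; do
        end=$(openssl x509 -in "$c" -noout -enddate 2>/dev/null) || end=""
        printf '%-14s %s %s\n' "$(cert_status "$c" "${1:-30}")" \
            "$c" "${end#notAfter=}"
    done
}

check_k8s_certs 30
```

A result of not-yet-valid points at the node's clock rather than at the certificate, so check time synchronization before renewing.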
We can renew the K8 certs using the script at "/opt/fortanix/sdkms/bin/renew-k8s-certs.sh". You need to run the script node by node, because it reboots the node.
Here are the steps:
1. Run the script on NODE1. Wait until it reboots and brings up all the sdkms services on that node.
2. Run kubectl get pods -owide and verify that all the services are up on all nodes.
3. Repeat for NODE 3
In this process, the sdkms disk usage alert will be cleared.
As this script reboots the node, you have to run it on one node at a time. Even though this activity doesn't disrupt service, make sure you do this in a maintenance window to avoid any surprises.
Thank you!